CISOs band together to beat hackers at their own game

While Batman and Superman are slugging it out on the big screen, 122 CISOs from across the country’s top IT companies are engaged in a battle of their own. These “un-caped crusaders” have formed a vigilante group to collaborate and take on the bad guys.

Nearly 72 percent of Indian companies faced a cyber-attack in 2015, and with the onset of SMAC, the surface area prone to attacks in a company has increased drastically. Currently, India ranks among the top three countries in terms of susceptibility to cyber-attacks.

In a tête-à-tête with CIO India, Burgess Cooper, Partner, Information Security, EY India, revealed the looming threat faced by Indian enterprises and shared his two cents’ worth on what security heads at the country’s top IT companies can do to counter this.

“As you migrate to the cloud, expand your media channels, incorporate mobility, your attack surface goes exponentially up,” explained Cooper.

It’s no secret that hackers work together and share their expertise on clandestine forums on the dark side of the moon, or of the net (take your pick). So, what do security heads have to do in order to stand up and stave off breaches?

Make no mistake, dear CISO, your organization is just as vulnerable as the next one. What makes it easier for hackers to breach defenses is that around 68 percent of CEOs are unwilling to share cybersecurity information with their peers, as revealed by an IBM study.

Vigilantes join forces

“If hackers can collaborate, why can’t security heads?” This seemingly simple question is the rationale behind the formation of the CISO group. Today, the group has 122 members, and that collective strength is what builds stronger defenses, according to Cooper.

“In any warfare, intelligence is key. If you know about a particular vulnerability in the system, and work quickly to patch that vulnerability, you’re that much safer,” he explained. “The idea is to not fight the war in isolation, but to fight the war with friends who may have fought the war earlier.”

The idea behind the group is to have leading CISOs collaborate to strategize, share best practices, and innovate to keep hackers at bay.

“The moment any vulnerability exists anywhere in the world, we inform each other through the network. It’s an early warning system. If some company has undergone an attack, fellow CISOs, who may have suffered the same kind of attack at an earlier point in time, give the right kind of advice,” stated Cooper.

However, do bear in mind that cyber-resilience is not just the CISO’s cross to bear. Cyber resiliency must be treated as a board-level issue. The company should be able to track its risks and measure its defenses against them. It cannot be left to the IT department alone.

“Firstly, the tone has to be set from the top. Secondly, companies should make investments in people, processes, and technologies. Earlier, companies were spending lots of money in prevention controls alone,” explained Cooper. Companies later realized that they cannot really prevent an attack, and there aren’t too many companies in the world that are completely resilient to an unforeseen attack.

“If you start fighting at the IT level, you’ll lose the game. Make it a business issue, and get the right support from across the board,” maintained Cooper. “Once the company views it as a threat to its existence and survival, with the possibility of share prices plummeting, then, it’s a far more unified approach.”


But what about the competition? Won’t CISOs from competing organizations get caught up in the board games?

“There’s no competition amongst us. It’s just that some participate more, but few hold back. If somebody asks for help, some may share the response openly on the forum, whereas some may call the person individually and discuss the past occurrence. The person asking for help gets the right kind of advice, and promptly so,” clarified Cooper.

Takeaways for CISOs

“Once you ensure that cyber-security becomes a board-level issue, not just an IT issue, frame a clearly defined strategy on how you respond for each type of stakeholder, not just a CISO. A CISO would be the person defending the attack, but he would need the right support from across the company,” said Cooper.

Take Corp Comm, for instance: it needs to frame the right response strategy for the market. HR should get the right skills in place in the team; the IT team owns the framework; and the legal team determines the correct course of action.

However, Cooper emphasized that the CISO must stay abreast of industry trends as they change. Every few months, a new type of threat looms. The CISO’s job is to be alert and aware of all the new-age threats, not just to his own company, but also to the industry.

After that, a CISO ought to monitor and measure his progress on a regular basis. This can be done by participating in cyber-attack simulations.

It’s simply a question of when, not if. So, when the company faces a real attack, the CISO doesn’t have to run helter-skelter. He knows the scenario inside out, knows whom to call, and what to do. “The system ought to function like a well-oiled machine, even in the CISO’s absence,” stated Cooper.

So, do CISOs in India choose to play the ostrich, turning away from the problems, or is there something more deep-rooted?

“I would say all CISOs have always been proactive in identifying that security is needed, and to stay on top of their game. However, some of them may not have had the right support at the CXO-levels,” said Cooper.

The good news is that that support is now slowly increasing, as CXOs have recognized the impact an attack can have on the whole organization.

After all, we’re not strangers to situations where CEOs have had to resign, and the share prices of the company plummeted following a breach.

Impact of mobility on cyber-security

Cooper believes that CXOs and CISOs have to embrace the fact that mobility is here to stay, and there are no two ways about it. Fortunately, they have good controls in place in terms of secure mobile device management.

But they need to recognize that you cannot protect everything. “Make a crown jewels program, and put controls around it.”

“This is in fact one more opportunity for a CISO to display his strength and prove his ability,” he added.

So, fret not, dear CISO. It’s just another feather waiting to be added to your cap.